author | nicosomb <nicolas@loeuillet.org> | 2013-04-15 14:09:58 +0200 |
committer | nicosomb <nicolas@loeuillet.org> | 2013-04-15 14:09:58 +0200 |
commit | cf3180f6b8c552bbf7214d1ba72fbf1fc90ef861 (patch) | |
tree | 86d0cad24ed4891165d720a3bb19fffe6f55c73b /inc/functions.php | |
parent | 358ab47957de18183aa3d3f7a62b631cd131f41f (diff) | |
download | wallabag-cf3180f6b8c552bbf7214d1ba72fbf1fc90ef861.tar.gz wallabag-cf3180f6b8c552bbf7214d1ba72fbf1fc90ef861.tar.zst wallabag-cf3180f6b8c552bbf7214d1ba72fbf1fc90ef861.zip |
vérificatio CSRF et mise en page
Diffstat (limited to 'inc/functions.php')
-rwxr-xr-x | inc/functions.php | 30 |
1 files changed, 27 insertions, 3 deletions
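--- a/inc/functions.php
+++ b/inc/functions.php
@@ -125,7 +125,7 @@ function prepare_url($url)
 /**
 * Appel d'une action (mark as fav, archive, delete)
 */
-function action_to_do($action, $id)
+function action_to_do($action, $id, $url, $token)
 {
 global $db;
 
@@ -140,8 +140,11 @@ function action_to_do($action, $id)
 $params_action = array($url, $parametres_url['title'], $parametres_url['content']);
 break;
 case 'delete':
-$sql_action = "DELETE FROM entries WHERE id=?";
-$params_action = array($id);
+if (verif_token($token)) {
+$sql_action = "DELETE FROM entries WHERE id=?";
+$params_action = array($id);
+}
+else die('CSRF problem');
 break;
 default:
 break;
@@ -224,4 +227,25 @@ function get_article($id)
 }
 
 return $entry;
+}
+
+/**
+* Vérifie si le jeton passé en $_POST correspond à celui en session
+*/
+function verif_token($token)
+{
+if(isset($_SESSION['token_poche']) && isset($_SESSION['token_time_poche']) && isset($token))
+{
+if($_SESSION['token_poche'] == $token)
+{
+$old_timestamp = time() - (15*60);
+if($_SESSION['token_time_poche'] >= $old_timestamp)
+{
+return TRUE;
+}
+else return FALSE;
+}
+else return FALSE;
+}
+else return FALSE;
 }
\ No newline at end of file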
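Review bot: The new verif_token compares the session token with the submitted one using `==` at new line 239, which is a loose comparison (numeric-looking strings such as `"1e3"` and `"1000"` compare equal) and is not timing-safe; use `if(hash_equals((string) $_SESSION['token_poche'], (string) $token))` where hash_equals is available, or at minimum `===`. The `isset($token)` on new line 237 only rejects a null argument, so it does not catch an empty-string token; `$token !== ''` would be the stricter guard. The check is applied only in the `delete` branch of action_to_do (new lines 143–147) while the docblock lists mark-as-fav and archive as actions too; if those branches also write to the database they appear to remain unprotected, so calling verif_token once before the `switch` would cover them — the rest of that function lies outside the hunk. `die('CSRF problem')` inside a library function also prevents the caller from logging the rejection or rendering an error page; returning early from action_to_do and letting the caller decide would keep the function reusable.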